Vulnhub: Geisha 1 Walkthrough

Cool picture, I guess

Today we are working on Geisha: 1 from Vulnhub.com. This box is rated as an Beginner/Intermediate level.

Enumeration

We start with our nmap scans.

Much ado about nothing

There are quite a few ports open, pretty much all of them purporting to be web servers. Let’s just say I Dirbusted the hell out of all of these ports, including tcp/7125, which was also a web server although nmap didn’t identify it as so, and hit a dead end. I also investigated an exploit in Open LiteSpeed Server with no success.

Late in my Dirbusting, knowing this box creator, I kicked off a Hydra session to brute force ssh. I should have started with this.

This looks familiar

Hydra pretty quickly found the password of “letmein” to go with the user “geisha”. This is the same ssh password as the box in my previous walkthrough. OK, SunCSR Team, while I appreciate you making these CTF’s, maybe it is time to branch out from the same ssh brute force solution for every box.

Privilege Escalation

At any rate, we can ssh into the box with our new-found creds and proceed with our privesc. After some initial privesc checks, I ran linpeas.sh and quickly noticed that /usr/bin/base32 has SUID permissions

I heart linpeas

As you should always do with SUID binaries, check GTFOBins and we find that base32 can execute privileged file reads. Using the technique on GTFOBins, you can read the root flag and call it a day, however I’m always attempting to get a root shell. I first used the exploit to read /etc/shadow.

Once we have /etc/shadow, we can also read /etc/passwd and save both to our attacker box. Then we combine the files and try to crack the root password with hashcat.

Unfortunately, the root password isn’t in rockyou.txt. What else might we be able to read that will help us get a root shell? How about root’s private ssh key?

bingo!

Save the key to a file on our attacker box, do a ‘chmod 600’ and then try to ssh as root.

We got our root shell! Personally, I found this box a bit frustrating with all the rabbit-holes, although I will admit the box creator warned us on the download page. What did you think of this box? Drop me a comment.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store